Index: user/ngie/detangle-rc/etc/rc.d/Makefile
===================================================================
--- user/ngie/detangle-rc/etc/rc.d/Makefile (revision 299103)
+++ user/ngie/detangle-rc/etc/rc.d/Makefile (revision 299104)
@@ -1,319 +1,332 @@ # $FreeBSD$ .include FILESGROUPS= FILES FILESDIR= /etc/rc.d FILESMODE= ${BINMODE} FILES= DAEMON \ FILESYSTEMS \ + FIREWALL \ LOGIN \ NETWORKING \ SERVERS \ abi \ addswap \ adjkerntz \ archdep \ auditd \ auditdistd \ bgfsck \ ${_bluetooth} \ bridge \ ${_bthidd} \ cleanvar \ cleartmp \ cron \ ctld \ ddb \ defaultroute \ devd \ devfs \ dhclient \ dmesg \ dumpon \ fsck \ gbde \ geli \ geli2 \ gptboot \ growfs \ gssd \ ${_hcsecd} \ hostid \ hostid_save \ hostname \ iovctl \ - ipfilter \ - ipfs \ - ipfw \ - ipmon \ - ipnat \ ipsec \ ${_kadmind} \ ${_kdc} \ ${_kfd} \ kld \ kldxref \ ${_kpasswdd} \ ldconfig \ local \ localpkg \ lockd \ mixer \ motd \ mountcritlocal \ mountcritremote \ mountlate \ mdconfig \ mdconfig2 \ mountd \ msgs \ - natd \ netif \ netoptions \ netwait \ newsyslog \ nfsclient \ nfscbd \ nfsd \ nfsuserd \ nisdomain \ ${_nscd} \ nsswitch \ ntpdate \ ${_opensm} \ - pf \ - pflog \ - pfsync \ ppp \ pppoed \ pwcheck \ quota \ random \ rarpd \ rctl \ resolv \ rfcomm_pppd_server \ root \ routing \ rpcbind \ savecore \ sdpd \ securelevel \ serial \ sppp \ statd \ static_arp \ - static_ndp \ stf \ swap \ swaplate \ sysctl \ syslogd \ tmp \ ${_ubthidhci} \ ugidfw \ ${_utx} \ var \ watchdogd \ ypbind \ yppasswdd \ ypserv \ ypset \ ypupdated \ ypxfrd \ .if ${MK_ACCT} != "no" FILESGROUPS+= ACCT ACCT+= accounting ACCTPACKAGE= acct .endif .if ${MK_ACPI} != "no" FILESGROUPS+= ACPI ACPI= power_profile ACPIPACKAGE= acpi .endif .if ${MK_ACPI} != "no" || ${MK_APM} != "no" FILES+= powerd .endif .if ${MK_AMD} != "no" FILESGROUPS+= AMD AMD+= amd AMDPACKAGE= amd .endif .if ${MK_APM} != "no" FILESGROUPS+= APM APM+= apm APM+= apmd APMPACKAGE= apm .endif .if ${MK_ATM} != "no" FILESGROUPS+= ATM ATM+= atm1 ATM+= atm2 ATM+= atm3 ATMPACKAGE= atm .endif .if ${MK_AUTOFS} != "no" FILES+= automount FILES+= automountd FILES+= autounmountd .endif .if ${MK_BLUETOOTH} != "no" _bluetooth= bluetooth _bthidd= bthidd _hcsecd= hcsecd _ubthidhci= ubthidhci .endif .if 
${MK_BOOTPARAMD} != "no" FILES+= bootparams .endif .if ${MK_BSNMP} != "no" FILESGROUPS+= BSNMP BSNMP+= bsnmpd BSNMPPACKAGE= bsnmp .endif .if ${MK_CCD} != "no" FILES+= ccd .endif .if ${MK_FTP} != "no" FILES+= ftpd .endif .if ${MK_HAST} != "no" FILESGROUPS+= HAST HAST= hastd HASTPACKAGE= hast .endif .if ${MK_INET6} != "no" FILES+= ip6addrctl FILES+= route6d FILES+= rtadvd FILES+= rtsold +FILES+= static_ndp .endif .if ${MK_INETD} != "no" FILES+= inetd .endif +.if ${MK_IPFILTER} != "no" +FILESGROUPS+= IPFILTER +IPFILTER+= ipfilter +IPFILTER+= ipmon +IPFILTER+= ipnat +IPFILTER+= ipfs +IPFILTERPACKAGE= ipfilter +.endif + +.if ${MK_IPFW} != "no" +FILESGROUPS+= IPFW +IPFW+= ipfw +IPFW+= natd +IPFWPACKAGE= ipfw +.endif + .if ${MK_ISCSI} != "no" FILES+= iscsictl FILES+= iscsid .endif .if ${MK_JAIL} != "no" FILESGROUPS+= JAIL JAIL+= jail JAILPACKAGE= jail .endif .if ${MK_LEGACY_CONSOLE} != "no" FILES+= moused FILES+= syscons .endif .if ${MK_LPR} != "no" FILES+= lpd .endif .if ${MK_KERBEROS} != "no" FILES+= ipropd_master FILES+= ipropd_slave _kadmind= kadmind _kdc= kdc _kfd= kfd _kpasswdd= kpasswdd .endif .if ${MK_MAIL} != "no" FILES+= othermta .endif .if ${MK_NS_CACHING} != "no" _nscd= nscd .endif .if ${MK_NTP} != "no" FILES+= ntpd .endif .if ${MK_OFED} != "no" _opensm= opensm .endif .if ${MK_OPENSSL} != "no" FILES+= keyserv .endif .if ${MK_OPENSSH} != "no" FILESGROUPS+= SSH SSH= sshd SSHPACKAGE= ssh .endif .if ${MK_PF} != "no" -FILES+= ftp-proxy +FILESGROUPS+= PF +PF+= ftp-proxy +PF+= pf +PF+= pflog +PF+= pfsync +PFPACKAGE= pf .endif .if ${MK_RCMDS} != "no" FILESGROUPS+= RCMDS RCMDS+= rwho RCMDSPACKAGE= rcmds .endif .if ${MK_ROUTED} != "no" FILES+= routed .endif .if ${MK_SENDMAIL} != "no" FILESGROUPS+= SMRCD SMRCD= sendmail SMRCDPACKAGE= sendmail .endif .if ${MK_TIMED} != "no" FILES+= timed .endif .if ${MK_UNBOUND} != "no" FILESGROUPS+= UNBOUND UNBOUND+= local_unbound UNBOUNDPACKAGE= unbound .endif .if ${MK_UTMPX} != "no" _utx= utx .endif .if ${MK_VI} != "no" FILESGROUPS+= 
VI VI+= virecover VIPACKAGE= vi .endif .if ${MK_WIRELESS} != "no" FILES+= hostapd FILES+= wpa_supplicant .endif .if ${MK_ZFS} != "no" FILESGROUPS+= ZFS ZFS+= zfs ZFS+= zvol ZFSPACKAGE= zfs .endif .include Index: user/ngie/detangle-rc/etc/rc.d/NETWORKING =================================================================== --- user/ngie/detangle-rc/etc/rc.d/NETWORKING (revision 299103) +++ user/ngie/detangle-rc/etc/rc.d/NETWORKING (revision 299104) @@ -1,12 +1,12 @@ #!/bin/sh # # $FreeBSD$ # # PROVIDE: NETWORKING NETWORK -# REQUIRE: netif netwait netoptions routing ppp ipfw stf +# REQUIRE: netif netwait netoptions routing ppp stf # REQUIRE: defaultroute resolv bridge -# REQUIRE: static_arp static_ndp +# REQUIRE: static_arp # This is a dummy dependency, for services which require networking # to be operational before starting. Index: user/ngie/detangle-rc/etc/rc.d/ipfilter =================================================================== --- user/ngie/detangle-rc/etc/rc.d/ipfilter (revision 299103) +++ user/ngie/detangle-rc/etc/rc.d/ipfilter (revision 299104) 
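Review bot: `FIREWALL` is added to `FILES` but no `etc/rc.d/FIREWALL` source appears anywhere in this diff; if the dummy script is not added in the same revision the install will fail on the missing file, and if it is, a one-line `# FIREWALL: dummy rendezvous provided by ipfilter/ipfw/pf; netwait and securelevel REQUIRE it` beside the entry would spare the next reader the search. Moving `ipfilter`/`ipmon`/`ipnat`/`ipfs`, `ipfw`/`natd` and `pf`/`pflog`/`pfsync` into MK_IPFILTER/MK_IPFW/MK_PF groups means those scripts may be absent on an installed system, which is presumably why the other hunks stop naming them in REQUIRE lists and have them declare BEFORE instead (rcorder complains about a REQUIRE with no provider, as far as I recall, but not about a BEFORE from a script that is not installed). That rationale is the heart of the change and belongs in the commit description rather than being reconstructed from eight files. `static_ndp` becoming MK_INET6-only follows the same logic.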
@@ -1,90 +1,91 @@ #!/bin/sh # # $FreeBSD$ # -# PROVIDE: ipfilter +# PROVIDE: ipfilter FIREWALL # REQUIRE: FILESYSTEMS +# BEFORE: netif # KEYWORD: nojail . /etc/rc.subr name="ipfilter" desc="IP packet filter" rcvar="ipfilter_enable" load_rc_config $name stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}" start_precmd="$stop_precmd" start_cmd="ipfilter_start" stop_cmd="ipfilter_stop" reload_precmd="$stop_precmd" reload_cmd="ipfilter_reload" resync_precmd="$stop_precmd" resync_cmd="ipfilter_resync" status_precmd="$stop_precmd" status_cmd="ipfilter_status" extra_commands="reload resync" required_modules="ipl:ipfilter" ipfilter_start() { echo "Enabling ipfilter." if ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then ${ipfilter_program:-/sbin/ipf} -E fi ${ipfilter_program:-/sbin/ipf} -Fa if [ -r "${ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} \ -f "${ipfilter_rules}" ${ipfilter_flags} fi if [ -r "${ipv6_ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} -6 \ -f "${ipv6_ipfilter_rules}" ${ipfilter_flags} fi } ipfilter_stop() { if ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then echo "Saving firewall state tables" ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags} echo "Disabling ipfilter." ${ipfilter_program:-/sbin/ipf} -D fi } ipfilter_reload() { echo "Reloading ipfilter rules." ${ipfilter_program:-/sbin/ipf} -I -Fa if [ -r "${ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} -I \ -f "${ipfilter_rules}" ${ipfilter_flags} if [ $? -ne 0 ]; then err 1 'Load of rules into alternate set failed; aborting reload' fi fi if [ -r "${ipv6_ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} -I -6 \ -f "${ipv6_ipfilter_rules}" ${ipfilter_flags} if [ $? 
-ne 0 ]; then err 1 'Load of IPv6 rules into alternate set failed; aborting reload' fi fi ${ipfilter_program:-/sbin/ipf} -s } ipfilter_resync() { ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} } ipfilter_status() { ${ipfilter_program:-/sbin/ipf} -V } run_rc_command "$1" Index: user/ngie/detangle-rc/etc/rc.d/ipfs =================================================================== --- user/ngie/detangle-rc/etc/rc.d/ipfs (revision 299103) +++ user/ngie/detangle-rc/etc/rc.d/ipfs (revision 299104) @@ -1,52 +1,53 @@ #!/bin/sh # # $FreeBSD$ # # PROVIDE: ipfs # REQUIRE: ipnat +# BEFORE: netif # KEYWORD: nojail shutdown . /etc/rc.subr name="ipfs" desc="Saves and restores information for NAT and state tables" rcvar="ipfs_enable" start_cmd="ipfs_start" stop_cmd="ipfs_stop" start_precmd="ipfs_prestart" ipfs_prestart() { # Do not continue if either ipnat or ipfilter is not enabled or # if the ipfilter module is not loaded. # if ! checkyesno ipfilter_enable -o ! checkyesno ipnat_enable ; then err 1 "${name} requires either ipfilter or ipnat enabled" fi if ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes' >/dev/null 2>&1; then err 1 "ipfilter module is not loaded" fi return 0 } ipfs_start() { if [ -r /var/db/ipf/ipstate.ipf -a -r /var/db/ipf/ipnat.ipf ]; then ${ipfs_program} -R ${rc_flags} rm -f /var/db/ipf/ipstate.ipf /var/db/ipf/ipnat.ipf fi } ipfs_stop() { if [ ! -d /var/db/ipf ]; then mkdir /var/db/ipf chmod 700 /var/db/ipf chown root:wheel /var/db/ipf fi ${ipfs_program} -W ${rc_flags} } load_rc_config $name run_rc_command "$1" Index: user/ngie/detangle-rc/etc/rc.d/ipfw =================================================================== --- user/ngie/detangle-rc/etc/rc.d/ipfw (revision 299103) +++ user/ngie/detangle-rc/etc/rc.d/ipfw (revision 299104) 
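Review bot: The new `PROVIDE: ipfilter FIREWALL` and `BEFORE: netif` lines carry the whole reason this script must run before interfaces are configured, and nothing on the page states it; a comment such as `# Rules are loaded BEFORE netif so no interface is ever up without the filter in place;` `# FIREWALL is the rendezvous that netwait and securelevel wait on` would make it survive the next reshuffle. The same applies to the `FIREWALL` provider lines in the ipfw and pf hunks. Note that rcorder satisfies FIREWALL once every provider has run, not once a filter is enabled, so on a host with none of the three enabled netwait and securelevel proceed as before; that is the pre-change behaviour, but it is worth saying on the dummy FIREWALL script when it is added.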
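Review bot: In ipfs_prestart, `if ! checkyesno ipfilter_enable -o ! checkyesno ipnat_enable ; then` is not inside `[ ]`, so `-o ! checkyesno ipnat_enable` is passed to checkyesno as extra arguments rather than evaluated as an OR; unless checkyesno inspects them (rc.subr's version appears to read only `$1`), `ipnat_enable` is never consulted. The leading comment ("if either ... is not enabled") and the error text ("requires either ipfilter or ipnat enabled") disagree about the intent, so pick one: `if ! checkyesno ipfilter_enable && ! checkyesno ipnat_enable; then` matches the message, `||` matches the comment. This is context for the new `BEFORE: netif` line rather than something the commit changes, but since the script's place in the boot order is being reworked it is a good moment to make the guard mean what it says.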
@@ -1,115 +1,116 @@ #!/bin/sh # # $FreeBSD$ # -# PROVIDE: ipfw +# PROVIDE: ipfw FIREWALL # REQUIRE: ppp +# BEFORE: NETWORKING # KEYWORD: nojailvnet . /etc/rc.subr . /etc/network.subr name="ipfw" desc="Firewall, traffic shaper, packet scheduler, in-kernel NAT" rcvar="firewall_enable" start_cmd="ipfw_start" start_precmd="ipfw_prestart" start_postcmd="ipfw_poststart" stop_cmd="ipfw_stop" required_modules="ipfw" set_rcvar_obsolete ipv6_firewall_enable ipfw_prestart() { if checkyesno dummynet_enable; then required_modules="$required_modules dummynet" fi if checkyesno natd_enable; then required_modules="$required_modules ipdivert" fi if checkyesno firewall_nat_enable; then required_modules="$required_modules ipfw_nat" fi } ipfw_start() { local _firewall_type _firewall_type=$1 # set the firewall rules script if none was specified [ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall if [ -r "${firewall_script}" ]; then /bin/sh "${firewall_script}" "${_firewall_type}" echo 'Firewall rules loaded.' elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then echo 'Warning: kernel has firewall functionality, but' \ ' firewall rules are not enabled.' echo ' All ip services are disabled.' fi # Firewall logging # if checkyesno firewall_logging; then echo 'Firewall logging enabled.' sysctl net.inet.ip.fw.verbose=1 >/dev/null fi if checkyesno firewall_logif; then ifconfig ipfw0 create echo 'Firewall logging pseudo-interface (ipfw0) created.' fi } ipfw_poststart() { local _coscript # Start firewall coscripts # for _coscript in ${firewall_coscripts} ; do if [ -f "${_coscript}" ]; then ${_coscript} quietstart fi done # Enable the firewall # if ! ${SYSCTL} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then warn "failed to enable IPv4 firewall" fi if afexists inet6; then if ! 
${SYSCTL} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1 then warn "failed to enable IPv6 firewall" fi fi } ipfw_stop() { local _coscript # Disable the firewall # ${SYSCTL} net.inet.ip.fw.enable=0 if afexists inet6; then ${SYSCTL} net.inet6.ip6.fw.enable=0 fi # Stop firewall coscripts # for _coscript in `reverse_list ${firewall_coscripts}` ; do if [ -f "${_coscript}" ]; then ${_coscript} quietstop fi done } load_rc_config $name firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}" run_rc_command $* Index: user/ngie/detangle-rc/etc/rc.d/natd =================================================================== --- user/ngie/detangle-rc/etc/rc.d/natd (revision 299103) +++ user/ngie/detangle-rc/etc/rc.d/natd (revision 299104) @@ -1,44 +1,45 @@ #!/bin/sh # # $FreeBSD$ # # PROVIDE: natd +# REQUIRE: ipfw # KEYWORD: nostart nojail . /etc/rc.subr . /etc/network.subr name="natd" desc="Network Address Translation daemon" rcvar="natd_enable" command="/sbin/${name}" pidfile="/var/run/${name}.pid" start_precmd="natd_precmd" required_modules="ipdivert" natd_precmd() { if [ -n "${natd_interface}" ]; then dhcp_list="`list_net_interfaces dhcp`" for ifn in ${dhcp_list}; do case "${natd_interface}" in ${ifn}) rc_flags="$rc_flags -dynamic" ;; esac done if echo "${natd_interface}" | \ grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then rc_flags="$rc_flags -a ${natd_interface}" else rc_flags="$rc_flags -n ${natd_interface}" fi fi return 0 } load_rc_config $name run_rc_command "$1" Index: user/ngie/detangle-rc/etc/rc.d/netif =================================================================== --- user/ngie/detangle-rc/etc/rc.d/netif (revision 299103) +++ user/ngie/detangle-rc/etc/rc.d/netif (revision 299104) 
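Review bot: `BEFORE: NETWORKING` together with the unchanged `REQUIRE: ppp` still places ipfw rule loading after netif if ppp's own header requires netif (not visible here), i.e. later than ipfilter's `BEFORE: netif`; what closes that window is the kernel's default rule 65535 being deny, which the `ipfw list 65535` check in ipfw_start hints at but never states. Suggest a header comment: `# Rules load after netif; the interval is covered by the kernel default-deny rule (see the 65535 check below)`, hedged if the kernel may be built with IPFIREWALL_DEFAULT_TO_ACCEPT. Two style points on the same file: `sysctl net.inet.ip.fw.verbose=1` in ipfw_start bypasses `${SYSCTL}` that ipfw_poststart and ipfw_stop use, and the final `run_rc_command $*` is unquoted where every sibling script uses `"$1"`.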
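Review bot: `REQUIRE: ipfw` is added to a script carrying `KEYWORD: nostart`, so rc never starts natd from the rcorder list; it is launched by ipfw through `firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"` with `quietstart`, and the new header line documents that relationship rather than enforcing it. A comment beside it, `# Started by rc.d/ipfw as a firewall coscript, not from rcorder (nostart)`, would keep the two mechanisms from drifting apart. The coupling runs the other way too: ipfw_prestart appends `ipdivert` to its required_modules when natd_enable is set, which is also this script's `required_modules`.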
@@ -1,272 +1,272 @@ #!/bin/sh # # Copyright (c) 2003 The FreeBSD Project. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE PROJECT ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # IN NO EVENT SHALL THE PROJECT BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # $FreeBSD$ # # PROVIDE: netif # REQUIRE: FILESYSTEMS iovctl serial sppp sysctl -# REQUIRE: hostid ipfilter ipfs +# REQUIRE: hostid # KEYWORD: nojailvnet . /etc/rc.subr . 
/etc/network.subr name="netif" desc="Network interface setup" rcvar="${name}_enable" start_cmd="netif_start" stop_cmd="netif_stop" wlanup_cmd="wlan_up" wlandown_cmd="wlan_down" cloneup_cmd="clone_up" clonedown_cmd="clone_down" clear_cmd="doclear" vnetup_cmd="vnet_up" vnetdown_cmd="vnet_down" extra_commands="cloneup clonedown clear vnetup vnetdown" cmdifn= set_rcvar_obsolete ipv6_enable ipv6_activate_all_interfaces set_rcvar_obsolete ipv6_prefer netif_start() { local _if # Set the list of interfaces to work on. # cmdifn=$* if [ -z "$cmdifn" ]; then # # We're operating as a general network start routine. # # disable SIGINT (Ctrl-c) when running at startup trap : 2 fi # Create IEEE802.11 interface wlan_up $cmdifn # Create cloned interfaces clone_up $cmdifn # Rename interfaces. ifnet_rename $cmdifn # Configure the interface(s). netif_common ifn_start $cmdifn if [ -f /etc/rc.d/ipfilter ] ; then # Resync ipfilter /etc/rc.d/ipfilter quietresync fi if [ -f /etc/rc.d/bridge -a -n "$cmdifn" ] ; then /etc/rc.d/bridge start $cmdifn fi if [ -f /etc/rc.d/routing -a -n "$cmdifn" ] ; then for _if in $cmdifn; do /etc/rc.d/routing static any $_if done fi } netif_stop() { _clone_down=1 _wlan_down=1 netif_stop0 $* } doclear() { _clone_down= _wlan_down= netif_stop0 $* } netif_stop0() { local _if # Set the list of interfaces to work on. # cmdifn=$* # Deconfigure the interface(s) netif_common ifn_stop $cmdifn # Destroy wlan interfaces if [ -n "$_wlan_down" ]; then wlan_down $cmdifn fi # Destroy cloned interfaces if [ -n "$_clone_down" ]; then clone_down $cmdifn fi if [ -f /etc/rc.d/routing -a -n "$cmdifn" ] ; then for _if in $cmdifn; do /etc/rc.d/routing stop any $_if done fi } vnet_up() { cmdifn=$* netif_common ifn_vnetup $cmdifn } vnet_down() { cmdifn=$* netif_common ifn_vnetdown $cmdifn } # netif_common routine # Common configuration subroutine for network interfaces. This # routine takes all the preparatory steps needed for configuriing # an interface and then calls $routine. 
netif_common() { local _cooked_list _tmp_list _fail _func _ok _str _cmdifn _func= if [ -z "$1" ]; then err 1 "netif_common(): No function name specified." else _func="$1" shift fi # Set the scope of the command (all interfaces or just one). # _cooked_list= _tmp_list= _cmdifn=$* if [ -n "$_cmdifn" ]; then # Don't check that the interface(s) exist. We need to run # the down code even when the interface doesn't exist to # kill off wpa_supplicant. # XXXBED: is this really true or does wpa_supplicant die? # if so, we should get rid of the devd entry _cooked_list="$_cmdifn" else _cooked_list="`list_net_interfaces`" fi # Expand epair[0-9] to epair[0-9][ab]. for ifn in $_cooked_list; do case ${ifn#epair} in [0-9]*[ab]) ;; # Skip epair[0-9]*[ab]. [0-9]*) for _str in $_cooked_list; do case $_str in $ifn) _tmp_list="$_tmp_list ${ifn}a ${ifn}b" ;; *) _tmp_list="$_tmp_list ${ifn}" ;; esac done _cooked_list=${_tmp_list# } ;; esac done _dadwait= _fail= _ok= for ifn in ${_cooked_list# }; do # Skip if ifn does not exist. case $_func in ifn_stop) if ! ${IFCONFIG_CMD} $ifn > /dev/null 2>&1; then warn "$ifn does not exist. Skipped." _fail="${_fail} ${ifn}" continue fi ;; esac if ${_func} ${ifn} $2; then _ok="${_ok} ${ifn}" if ipv6if ${ifn}; then _dadwait=1 fi else _fail="${_fail} ${ifn}" fi done # inet6 address configuration needs sleep for DAD. case ${_func}:${_dadwait} in ifn_start:1|ifn_vnetup:1|ifn_vnetdown:1) sleep `${SYSCTL_N} net.inet6.ip6.dad_count` sleep 1 ;; esac _str= if [ -n "${_ok}" ]; then case ${_func} in ifn_start) _str='Starting' ;; ifn_stop) _str='Stopping' ;; ifn_vnetup) _str='Moving' ;; ifn_vnetdown) _str='Reclaiming' ;; esac echo "${_str} Network:${_ok}." case ${_func} in ifn_vnetup) # Clear _ok not to do "ifconfig $ifn" # because $ifn is no longer in the current vnet. 
_ok= ;; esac if check_startmsgs; then for ifn in ${_ok}; do /sbin/ifconfig ${ifn} done fi fi debug "The following interfaces were not configured: $_fail" } # Load the old "network" config file also for compatibility. # This is needed for mfsBSD at least. load_rc_config network load_rc_config $name run_rc_command $* Index: user/ngie/detangle-rc/etc/rc.d/netwait =================================================================== --- user/ngie/detangle-rc/etc/rc.d/netwait (revision 299103) +++ user/ngie/detangle-rc/etc/rc.d/netwait (revision 299104) 
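Review bot: With `ipfilter ipfs` dropped from the REQUIRE line, the `if [ -f /etc/rc.d/ipfilter ] ; then /etc/rc.d/ipfilter quietresync` call in netif_start is now the only trace of the coupling in this file; the ordering is still guaranteed, but by ipfilter's own `BEFORE: netif` rather than anything visible here. A one-line comment above that call, `# ipfilter orders itself BEFORE netif; resync its interface state now that addresses are set`, would keep the hidden dependency in view. The `-f` test is also what makes the new IPFILTER package group in the Makefile safe to leave out, so it should not be simplified away later.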
@@ -1,116 +1,116 @@ #!/bin/sh # $FreeBSD$ # # PROVIDE: netwait -# REQUIRE: devd ipfilter ipfw pf routing +# REQUIRE: devd FIREWALL routing # KEYWORD: nojail # # The netwait script helps handle two situations: # - Systems with USB or other late-attaching network hardware which # is initialized by devd events. The script waits for all the # interfaces named in the netwait_if list to appear. # - Systems with statically-configured IP addresses in rc.conf(5). # The IP addresses in the netwait_ip list are pinged. The script # waits for any single IP in the list to respond to the ping. If your # system uses DHCP, you should probably use synchronous_dhclient="YES" # in your /etc/rc.conf instead of netwait_ip. # Either or both of the wait lists can be used (at least one must be # non-empty if netwait is enabled). . /etc/rc.subr name="netwait" desc="Wait for network devices or the network being up" rcvar="netwait_enable" start_cmd="${name}_start" stop_cmd=":" netwait_start() { local ip rc count output link wait_if got_if any_error if [ -z "${netwait_if}" ] && [ -z "${netwait_ip}" ]; then err 1 "No interface or IP addresses listed, nothing to wait for" fi if [ ${netwait_timeout} -lt 1 ]; then err 1 "netwait_timeout must be >= 1" fi if [ -n "${netwait_if}" ]; then any_error=0 for wait_if in ${netwait_if}; do echo -n "Waiting for ${wait_if}" link="" got_if=0 count=1 # Handle SIGINT (Ctrl-C); force abort of while() loop trap break SIGINT while [ ${count} -le ${netwait_if_timeout} ]; do if output=`/sbin/ifconfig ${wait_if} 2>/dev/null`; then if [ ${got_if} -eq 0 ]; then echo -n ", interface present" got_if=1 fi link=`expr "${output}" : '.*[[:blank:]]status: \(no carrier\)'` if [ -z "${link}" ]; then echo ', got link.' break fi fi sleep 1 count=$((count+1)) done # Restore default SIGINT handler trap - SIGINT if [ ${got_if} -eq 0 ]; then echo ", wait failed: interface never appeared." any_error=1 elif [ -n "${link}" ]; then echo ", wait failed: interface still has no link." 
any_error=1 fi done if [ ${any_error} -eq 1 ]; then warn "Continuing with startup, but be aware you may not have " warn "a fully functional networking layer at this point." fi fi if [ -n "${netwait_ip}" ]; then # Handle SIGINT (Ctrl-C); force abort of for() loop trap break SIGINT for ip in ${netwait_ip}; do echo -n "Waiting for ${ip} to respond to ICMP ping" count=1 while [ ${count} -le ${netwait_timeout} ]; do /sbin/ping -t 1 -c 1 -o ${ip} >/dev/null 2>&1 rc=$? if [ $rc -eq 0 ]; then # Restore default SIGINT handler trap - SIGINT echo ', got response.' return fi count=$((count+1)) done echo ', failed: No response from host.' done # Restore default SIGINT handler trap - SIGINT warn "Exhausted IP list. Continuing with startup, but be aware you may" warn "not have a fully functional networking layer at this point." fi } load_rc_config $name run_rc_command "$1" Index: user/ngie/detangle-rc/etc/rc.d/pf =================================================================== --- user/ngie/detangle-rc/etc/rc.d/pf (revision 299103) +++ user/ngie/detangle-rc/etc/rc.d/pf (revision 299104) 
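Review bot: netwait_start validates `netwait_timeout` with `-lt 1` but not `netwait_if_timeout`, which drives the interface loop `while [ ${count} -le ${netwait_if_timeout} ]` and, if empty, turns that test into a shell error on every iteration; a parallel guard `if [ ${netwait_if_timeout} -lt 1 ]; then err 1 "netwait_if_timeout must be >= 1"; fi` next to the existing one closes it (rc.conf defaults may well set the variable, which makes this cheap rather than urgent). On the header, `REQUIRE: devd FIREWALL routing` is equivalent to the old explicit list because rcorder presumably orders a requirer after every script that PROVIDEs FIREWALL; a short comment naming the three providers would help anyone reading this script in isolation.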
@@ -1,77 +1,77 @@ #!/bin/sh # # $FreeBSD$ # -# PROVIDE: pf +# PROVIDE: pf FIREWALL # REQUIRE: FILESYSTEMS netif pflog pfsync # BEFORE: routing # KEYWORD: nojail . /etc/rc.subr name="pf" desc="Packet filter" rcvar="pf_enable" load_rc_config $name start_cmd="pf_start" stop_cmd="pf_stop" check_cmd="pf_check" reload_cmd="pf_reload" resync_cmd="pf_resync" status_cmd="pf_status" extra_commands="check reload resync" required_files="$pf_rules" required_modules="pf" pf_start() { check_startmsgs && echo -n 'Enabling pf' $pf_program -F all > /dev/null 2>&1 $pf_program -f "$pf_rules" $pf_flags if ! $pf_program -s info | grep -q "Enabled" ; then $pf_program -eq fi check_startmsgs && echo '.' } pf_stop() { if $pf_program -s info | grep -q "Enabled" ; then echo -n 'Disabling pf' $pf_program -dq echo '.' fi } pf_check() { echo "Checking pf rules." $pf_program -n -f "$pf_rules" } pf_reload() { echo "Reloading pf rules." $pf_program -n -f "$pf_rules" || return 1 # Flush everything but existing state entries that way when # rules are read in, it doesn't break established connections. $pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1 $pf_program -f "$pf_rules" $pf_flags } pf_resync() { $pf_program -f "$pf_rules" $pf_flags } pf_status() { if ! [ -c /dev/pf ] ; then echo "pf.ko is not loaded" else $pf_program -s info fi } run_rc_command "$1" Index: user/ngie/detangle-rc/etc/rc.d/securelevel =================================================================== --- user/ngie/detangle-rc/etc/rc.d/securelevel (revision 299103) +++ user/ngie/detangle-rc/etc/rc.d/securelevel (revision 299104) 
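Review bot: pf_start runs `$pf_program -F all` and then `$pf_program -f "$pf_rules" $pf_flags` without checking its status, so a rule file that fails to parse leaves pf enabled with an empty ruleset (everything passes) while the script still prints its success dot; pf_reload does a `-n` check first, and start should fail just as loudly: `$pf_program -f "$pf_rules" $pf_flags || err 1 "pf rules from $pf_rules failed to load"` before the `-eq` line. That is context rather than new code, but now that pf is one of the `FIREWALL` providers securelevel waits on, a silent load failure is worth closing in the same change. Also worth a header comment: unlike ipfilter (`BEFORE: netif`), pf REQUIREs netif, so its rules land after interfaces are configured; that is pre-existing, but readers who see the shared FIREWALL name may assume the three filters are ordered alike.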
@@ -1,30 +1,30 @@
#!/bin/sh # # $FreeBSD$ # # PROVIDE: securelevel
-# REQUIRE: adjkerntz ipfw ipfilter pf
+# REQUIRE: adjkerntz FIREWALL
. /etc/rc.subr name="securelevel" desc="Securelevel configuration" rcvar='kern_securelevel_enable' start_cmd="securelevel_start" stop_cmd=":" # Last chance to set sysctl variables that failed the first time. # /etc/rc.d/sysctl lastload securelevel_start() { if [ ${kern_securelevel} -ge 0 ]; then echo 'Raising kernel security level: ' ${SYSCTL} kern.securelevel=${kern_securelevel} fi } load_rc_config $name run_rc_command "$1"
Index: user/ngie/detangle-rc/etc/rc.d/static_ndp
===================================================================
--- user/ngie/detangle-rc/etc/rc.d/static_ndp (revision 299103)
+++ user/ngie/detangle-rc/etc/rc.d/static_ndp (revision 299104)
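Review bot: `REQUIRE: adjkerntz FIREWALL` is the one ordering edge in this commit that is security-critical rather than cosmetic, and the header does not say why: once kern.securelevel reaches 3 the packet-filter rule sets can no longer be changed, so this script must run after every filter has loaded its rules. Suggest `# FIREWALL: raise securelevel only after ipfw/ipfilter/pf have loaded their rules;` `# at kern.securelevel >= 3 the filter rule sets become immutable (see security(7))` above the REQUIRE line. This relies on rcorder placing a requirer after every provider of FIREWALL, which presumably holds, but the comment makes the reliance explicit for whoever next touches the dummy script.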
@@ -1,74 +1,75 @@ #!/bin/sh # # Copyright (c) 2011 Xin Li # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # Configure static NDP table # # $FreeBSD$ # # PROVIDE: static_ndp # REQUIRE: netif +# BEFORE: NETWORKING # KEYWORD: nojail . /etc/rc.subr . /etc/network.subr name="static_ndp" start_cmd="static_ndp_start" stop_cmd="static_ndp_stop" static_ndp_start() { local e ndp_args if [ -n "${static_ndp_pairs}" ]; then echo -n 'Binding static NDP pair(s):' for e in ${static_ndp_pairs}; do echo -n " ${e}" eval ndp_args=\$static_ndp_${e} ndp -s ${ndp_args} >/dev/null 2>&1 done echo '.' 
fi } static_ndp_stop() { local e ndp_args if [ -n "${static_ndp_pairs}" ]; then echo -n 'Unbinding static NDP pair(s):' for e in ${static_ndp_pairs}; do echo -n " ${e}" eval ndp_args=\$static_ndp_${e} ndp -d ${ndp_args%%[ ]*} > /dev/null 2>&1 done echo '.' fi } load_rc_config $name run_rc_command "$1"
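Review bot: `BEFORE: NETWORKING` replaces the REQUIRE that NETWORKING used to carry, and the reason — static_ndp is now installed only when MK_INET6 != "no" (Makefile hunk), and a REQUIRE on a missing script would make rcorder complain on every boot while a BEFORE from an absent script is simply not there — can only be reconstructed by reading both hunks; a `# BEFORE rather than a REQUIRE in NETWORKING: this script may not be installed (MK_INET6=no)` comment would capture it. While here, both `ndp -s ${ndp_args} >/dev/null 2>&1` and the `ndp -d ... > /dev/null 2>&1` in static_ndp_stop discard the exit status, so a pair that fails to bind still gets the trailing `.`; appending `|| warn "static NDP entry ${e} failed"` to the `-s` line would surface it without changing the success path.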